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Abstract 

o 

£SJ ' The classical family of [n, k] q Reed-Solomon codes over a field ¥ q consist of the evaluations 

of polynomials / € ¥ q [X] of degree < k at n distinct field elements. In this work, we consider a 
closely related family of codes, called (order m) derivative codes and defined over fields of large 
characteristic, which consist of the evaluations of / as well as its first m — 1 formal derivatives 
5/5 ' at n distinct field elements. For large enough m, we show that these codes can be list-decoded 

O . in polynomial time from an error fraction approaching 1 — R, where R = kj (nm) is the rate of 

the code. This gives an alternate construction to folded Reed-Solomon codes for achieving the 
optimal trade-off between rate and list error-correction radius. 

Our decoding algorithm is linear-algebraic, and involves solving a linear system to inter- 
polate a multivariate polynomial, and then solving another structured linear system to retrieve 
q{ , the list of candidate polynomials /. The algorithm for derivative codes offers some advantages 

C^) ' compared to a similar one for folded Reed-Solomon codes in terms of efficient unique decoding 

, in the presence of side information. 

Keywords. Reed-Solomon codes, list error-correction, noisy polynomial interpolation, de- 
coding with side information, multiplicity codes, subspace-evasive sets, pseudorandomness. 

^ ■ 1 Introduction 

a: 

Consider the task of communicating information via transmission of n symbols from a large al- 
phabet E over an adversarial channel that can arbitrarily corrupt any subset of up to pn symbols 
(for some error parameter p £ (0, 1)). Error-correcting codes can be used to communicate reliably 
over such a channel. A code C is a judiciously chosen subset of E n that enables recovery of any 
c £ C from its distorted version c + r so long as r has at most pn nonzero entries. The rate R of 
the code C equals , which is the ratio of number of bits of information in the message to the 
total number of bits transmitted. A basic trade-off in this setting is the one between rate R and 
error fraction p. Clearly, R < 1 — p, since the channel can always zero-out the last pn symbols. 
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1.1 Background 



Perhaps surprisingly, the above simple limit can in fact be met, in the model of list decoding. 
Under list decoding, the error-correction algorithm is allowed to output a list of all codewords 
within the target error bound pn from the noisy received word. If this output list-size is small, 
say a constant or some polynomially growing function of the block length, then this is still useful 
information to have in the worst-case instead of just settling for decoding failure. For a survey of 
algorithmic results in list decoding, see [4]. 

List decoding allows one to decode from an error fraction approaching the optimal limit of 
1 — R. In fact, there exist codes of rate R that enable decoding up to a fraction 1 — R — e of 
errors with a list-size bound of 0(l/e) (this follows from standard random coding arguments). 
However, this is a nonconstructive result, with no deterministic way to construct a good code or 
an efficient algorithm to list decode it. Recently, it was shown that list decoding from an error rate 
approaching 1 — R is possible constructively, with an explicit code (the folded Reed-Solomon code) 
and a polynomial time decoding algorithm [8]. However, the list-size guarantee is much larger 
than the 0(l/e) bound achieved by random codes, and is a large polynomial in the block length. 

Before we state the result, let us first recall the definition of the well-known Reed-Solomon codes. 
For integer parameters 1 < k < n, a field F of size > n, and a sequence S = (ai , . . . , a n ) of n 
distinct elements of F, the associated Reed-Solomon (RS) code is 

RSF,s[n,fc] = {(p(a 1 ),...,p(a n )) \ p G ¥[X] of degree < k}. 

The code RSf,s[k, A;] has rate R = k/n, and can be list-decoded from up to a 1 — \^R fraction of 
errors [12, 9]. It is not known if list decoding some instantiation of Reed-Solomon codes from 
a larger radius is possible. At the same time, it is also not known if there are some RS codes 
for which the list-size could grow super-polynomially beyond this radius. For a more general 
problem called "list recovery," it is known that the error fraction cannot be improved for certain 
RS codes [7]. 

It turns out one can decode beyond the 1 — \fR bound by augmenting the RS encoding with 
some extra information. Parvaresh and Vardy used the evaluations of polynomials carefully cor- 
related with the message polynomial p also in the encoding [11]. However, the encodings of the 
extra polynomial(s) cost a lot in terms of rate, so their improvement is confined to low rates (at 
most 1/16) and does not achieve the optimal 1 — R radius. Later, Guruswami and Rudra consid- 
ered a "folded" version of RS codes [8], which is really just the RS code viewed as a code over a 
larger alphabet. More precisely, the order-m folded Reed-Solomon code is defined as follows. 

Definition 1. Let F be a field of size q with nonzero elements {1,7,..., 7 n_1 } for n = q — 1, where 
7 is a primitive element of F. Let m > 1 be an integer which divides re. Let 1 < k < re be the degree 
parameter. 

The folded Reed-Solomon code FRSp 7 ^ [k] is a code over alphabet F m that encodes a polynomial 
/ G ¥[X] of degree k as 
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It is shown in [8] that the above code can be decoded up to an error fraction pa 1 — y-^^ij " 
for any parameter s, 1 < s < m, where R = k/n is the rate of the code. (For s = 1, the performance 
ratio is the 1 — \fR bound, but the radius improves for large s and m S> s. For example, picking 
s k 1/e and m pa 1/e 2 , the list decoding radius exceeds 1 — R — e.) The bound on list-size is g s_1 , 
and the decoding complexity is of the same order. Getting around this exponential dependence 
on s remains an important theoretical question. 

The above algorithm involved finding roots of a univariate polynomial over an extension field 
of large degree over the base field F. Recently, an entirely linear-algebraic algorithm was discov- 
ered in [6] which avoids the use of extension fields. Although the error fraction decoded by the 

linear-algebraic algorithm is smaller — it is ^1 — m ™^ hl ^ for the above folded RS codes — it 

can still be made to exceed 1 — R — e for any e > by the choices s pa 1/e and m ~ 1/e 2 . The 
advantage of the algorithm in [6] is that except for the step of pruning an (s — 1) -dimensional 
subspace to filter the close-by codewords, it has quadratic running time. 



1.2 This work 



In this work, we consider another natural variant of Reed-Solomon codes (over fields of large char- 
acteristic), called derivative codes, defined formally in Section 2. Informally, rather than bundling 
together evaluations of the message polynomial at consecutive powers of 7, in an order-?n deriva- 
tive code, we bundle together the evaluations of / as well as its first (m — 1) derivatives at each 
point. This might appear to cause a loss in rate (similar to the Parvaresh-Vardy construction [11]), 
but it does not, as one can pick higher degree polynomials while still maintaining the distance. 
(For two distinct degree I polynomials, there can be at most l/m points where they and their first 
(m — 1) derivatives agree.) 

In Theorem 6 and Corollary 7, we show our main result that derivative codes also achieve 
list-decoding capacity; that is, for any e > 0, for the choice m pa 1/e 2 , we can list decode order- 
m derivative codes of rate R from a 1 — R — e fraction of errors. The list-size and running time 
behavior is similar to the linear-algebraic algorithm for folded RS codes [6], and once again one 
can find, by just solving two linear systems, a low-dimensional space that contains all the close-by 
codewords. 

Recently, multivariate versions of derivative codes were used in [10] to give locally decodable 
codes. In that work, these codes were referred to as multiplicity codes, but we refer to our codes 
as derivative codes to emphasize our use of formal derivatives rather than Hasse derivatives in the 
encoding. A side benefit of the changed terminology is to single out the important univariate case 
with a different name. 

Motivation. Prior to this work, the only known explicit codes list decodable up to the optimal 
1 — R bound were based on folded Reed-Solomon codes (or with smaller alphabets, certain folded 
algebraic-geometric codes [5], though these are not fully explicit). It seems like a natural ques- 
tion to seek alternate algebraic constructions of such codes. In addition, there is the possibility 
that a different construction would have better complexity or list-size guarantees, or offer other 
advantages. 

The derivative code construction is arguably just as natural as the folded Reed-Solomon one. 



3 



Interestingly, it falls in the framework of Parvaresh-Vardy codes, where the correlated polynomials 
are formal derivatives. The special properties of derivatives ensures that one need not suffer any 
loss in rate, and at the same time enable list decoding up to a much larger radius than the bound 
for RS codes. Further, our algorithm for list decoding derivative codes has some nice properties 
with respect to decoding with side information, and might have some benefits in practice as well. 
However, as with the case of folded RS codes, the proven bound on the worst-case list size has an 
exponential dependence on e (when the decoding radius is 1 — R — e), and it remains a challenge 
to improve this. We should note that we cannot rule out the possibility that a better analysis can 
improve the bound; in general it is a very hard problem to show list-size lower bounds for these 
algebraic codes. 

We end the introduction with a brief overview of the algorithm, and speculate on a possible 
benefit it offers compared to the folded RS case. At a high level, our decoding algorithm is similar 
to those used for Reed-Solomon and folded Reed-Solomon codes — it consists of an interpolation 
step, and then a second step to retrieve the list of all polynomials satisfying a certain algebraic 
condition. The interpolation step consists of fitting a polynomial of the form Aq(X) + A\(X)Y\ + 
A 2 (X)Y 2 + • • • + A S (X)Y S . (Note that the total degree in the Y/s is 1, and we do not use "mul- 
tiplicities" in the interpolation.) The second step consists of solving the "differential equation" 
A (X) + Ai(X)f(X) + A 2 (X)f'(X) + ... + A s (X)f( s -V(X) = for low-degree polynomials /. 
(Independently, a list decoding guarantee similar to the Guruswami-Rudra bound for folded RS 
codes has been obtained by Bombieri and Kopparty [1] based on using higher powers of Yi as well 
as multiplicities in the interpolation.) 

The differential equation imposes a system of linear equations on the coefficients of /. The 
specific structure of this linear system is different from the one for folded RS codes in [6]. In par- 
ticular, once the values of / and its first s — 2 derivatives at some point a (at which the interpolated 
polynomial A s doesn't vanish) are known, the rest are determined by the system. This has two ad- 
vantages. First, having these values (at a random a) as side information immediately leads to an 
efficient unique decoding algorithm. Second, in practice, A s may not have many zeroes amongst 
the evaluation points, in which case we can obtain the values of f(ai), . . . , f^ s ~ 2 \ai) from the re- 
ceived word (instead of trying all q s ~ l possibilities). While we have not been able to leverage this 
structure to improve the worst-case list-size bound, it is conceivable that additional ideas could 
lead to some improvements. 

2 Derivative codes 

We denote by ¥ q the field of q elements. For a polynomial / G F g [X], we denote by /' its formal 
derivative, i.e. if f(X) = f + f 1 X + ... + f e X e , then f'(X) = £} =1 ifiX^ 1 . We denote by /« the 
formal i'th derivative of /. 

Definition 2 (m'th order derivative code). Let < m G Z. Let a\, . . . , a n G ¥ q be distinct, and let 
the parameters satisfy m < k < nm < q. Further assume that char(F 9 ) > k. 

The derivative code Der q m \n,k] over the alphabet F™ encodes a polynomial / G F 9 [X] of 
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degree k — 1 by 



V 



/V) 
/ (m - 1} (ai) 



/(02) 
/ (m - 1} («2) 



f(a n ) 
/'(an) 

/fa -1 ) (a 



(2) 



Remark 1. Note that the case m = 1 is a Reed-Solomon code. 

This code has block length n and rate i? = — . The minimum distance is n — I ^— 

O nm L m J 



(1-R)n. 



3 List decoding derivative codes 



Suppose we have received the corrupted version of a codeword from the derivative code Der q m [n, k] 
as a string y G (F™) n , which we will naturally consider as an m x n matrix over ¥ q : 

( yii yi2 ■■■ yin\ 

2/21 2/22 • • • 2/2n 

\y m i y m 2 ■ ■ ■ ymnj 

The goal is to recover all polynomials / of degree k — 1 whose encoding (2) agrees with y in 
at least t columns. This corresponds to decoding from n — t symbol errors for the derivative code 

Derfa [n, k]. When t > (n + k/m)/2, the polynomial /, if it exists, is unique, and in this regime 
an efficient decoding algorithm was given in [10] by adapting the Welch-Berlekamp algorithm for 
Reed-Solomon codes [14, 2]. 

We adapt the algebraic list-decoding method used for Reed-Solomon and folded Reed-Solomon 
codes to the derivative code setting. The decoding algorithm consists of two steps — (i) interpo- 
lation of an algebraic condition (that must be obeyed by all candidate polynomials /), and (ii) 
retrieving the list of candidate solutions / (from the algebraic condition found by the interpola- 
tion step). 

Our algorithm can be viewed as a higher dimensional analog of the Welch-Berlekamp algo- 
rithm, where we use multivariate polynomials instead of bivariate polynomials in the interpola- 
tion. This has been used in the context of folded Reed-Solomon codes in [13, Chap. 5] and [6], and 
here we show that derivative codes can also be list decoded in this framework. 



3.1 Interpolation 

Let W denote the ¥ q -linear subspace of ¥ q [X, Yi, . . . , Y m \ consisting of polynomials that have total 
degree at most 1 in the 17s, i.e, W contains polynomials of the form Bq{X) + B\ (X)Y\ + B2{X)Y2 + 
• • • + B m (X)Y m for some polynomials B, L e F g [X]. 

Let D be the F g -linear map on W defined as follows: For p G F 9 [X], and 1 < i < m, 

D(p)(X,Y 1 ,...,Y m )=p'(X) (4) 
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and 

D(pY i )(X,Y 1 ,...,Y m )=p'(X)Y l +p(X)Y l+1 . (5) 

where we take Y m+ i = Y\. 

Let s, 1 < s < m, be an integer parameter in the decoding algorithm. The goal in the interpo- 
lation step is to interpolate a nonzero polynomial Q G ¥ q [X, Y\, Y 2 , . . . , Y s ] of the form 

A (X) + A 1 (X)Y 1 + A 2 (X)Y 2 + • • • + A S {X)Y S (6) 

satisfying the following conditions for each i, 1 < i < n: 

Q(ai,yu, . . . ,y si ) = and (D k Q)(ai,y u , . . . ,y mi ) = {k = 1, . . . , m - s), (7) 

where D k denotes the /c-fold composition of the map D. 

Observation. For each i, the conditions (7) are a collection of(m — s + 1) homogeneous linear constraints 
on the coefficients of the polynomial Q. 

The following shows why the interpolation conditions are useful in the decoding context. 

Lemma 1. Suppose Q of the form (6) satisfies the conditions (7). If the received word (3) agrees with the 
encoding of f at location i, that is, /^)(aj) = yj+i^ifor < j < m, then the univariate polynomial 
Q{X) := Q(X, f(X), ft'-^iX)) satisfies Q(aij = as well as Q {k \ai) = Ofor k = 1, . . . , m - s, 
where Q^ k \X) is that the k'th derivative of Q. 

Proof. Notice the form that our definition of the map D takes when Yi = f^ l ~ 1 \X) for 1 < i < m. 
We have D(p) = p' for p G F g [X], and D(pf^ l ~^) = p'f( l ~ 1 ^ + pf®, which is simply the product 
rule for derivatives. Thus when (yu, y 2 i, • • • , ymi ) = (/(at), f'ioi), /^-^(Oi)), the conditions 
(7) enforce that Q and its first m — s derivatives vanish at etj. 

□ 

We next argue that a nonzero interpolation polynomial Q exists and can be found efficiently. 
Lemma 2. Let 

n(m - s + 1) - k + 1 

« = — ; • (o) 

s + 1 

Then, a nonzero Q of the form (6) satisfying the conditions (7) with deg(^4o) < d + k — 1 and deg(A,-) < d 
for 1 < j < s exists and can be found in 0((nm) 3 ) field operations over ¥ q . 

Proof. Under the stated degree restrictions, the number of monomials in Q is 

(d + l)s + d + k = (d + l)(s + 1) + k - 1 > n(m - s + 1). 

where the last inequality follows from the choice (8) of d. The number of homogeneous linear 
equations imposed on the coefficients of Q in order to meet the interpolation conditions (7) is 
n(m — s + 1). As this is less than the number of monomials in Q, the existence of a nonzero Q 
follows, and it can be found by solving a linear system over ¥ q with at most nm constraints. □ 
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3.2 Retrieving candidate polynomials 



Suppose we have a polynomial Q(X, Y±, . . . , Y s ) satisfying the interpolation conditions (7). The 
following lemma gives an identity satisfied by any / which has good agreement with the received 
word. 



Lemma 3. If f G ¥[X] has degree at most k — 1 and an encoding (2) agreeing with the received word y in 

d+k-l 
m— s+1 ' 

Q(X,f(X),f'(X),...J^- 1 \x))=0. 



at least t columns for t > then 



Proof Let Q(X) = Q(X, f(X), /^"^(X)). By Lemma 1, an agreement in column i means that 
Q(X) satisfies Q(aj) = and that the kth derivative Q^ k \ai) is also zero for k = 1, . . . ,m — s. In 
particular, t column agreements yield at least t(m — s + 1) roots (counting multiplicities) for Q. 

The degree of Q is at most d + k — 1, as f and each of its derivatives has degree at most k — 1. 
Then as Q is univariate of degree at most d + k — 1, Q has at most d + k — 1 roots if it is nonzero. 
Thus if t > (d + fc - l)/(m - s + it must be that Q(X) = 0. □ 

With our chosen value of d from (8), this means that any / which agrees with y on more than 

n s k — 1 

+ -tt r-r (9) 



s + 1 s + lm-s + 1 

columns satisfies Q(X, f(X), f'(X), . . . , f ( - s ~ 1 \X)) = 0. So in the second step, our goal is to find 
all polynomials / of degree at most k — 1 such that 

MX) + Ai(X)/(X) + A 2 (X)f'(X) + ...+ A s (X)f^~ 1 \X) = (10) 

Let Ai(X) = YnSo aijXi for each i. Note that the above constraint (10) gives a linear system 
over F in the coefficients of / = /o + /iX + • • • + fk-iX k ~ 1 . In particular, the set of solutions 
(/o) /i) • • • j /fe-i) is an affine space, and we can find it by solving the linear system. Our goal now 
is to bound the dimension of the space of solutions by exposing its special structure and also use 
this to efficiently find an explicit basis for the space. 

Lemma 4. It suffices to give an algorithm in the case that the constant term a s o of A s is nonzero. 

Proof. If A S (X) =£. 0, since deg(^4 s ) < d < nm < q, then there is some a £¥ q such that A s (a) / 0, 
so we can consider a "translate" of this problem by a; that is, A S (X + a) has nonzero constant 
term, so we can solve the system with the translated polynomial Q(X + a, Y± , . . . , Y m ) and recover 
candidate messages by translating each solution g(X) to f(X) = g(X — a). 

If A S (X) = 0, we simply reduce the problem to a smaller one with s rather than s + 1 interpo- 
lation variables. Note that this must terminate since Q is nonzero and so at least one A4 for i > 1 
is nonzero. □ 

We can now show: 
Lemma 5. If a S Q ^ 0, the solution space to (10) has dimension at most s — 1. 
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Proof. For each power X\ the coefficient of X 1 in A (X) + A 1 (X)f(X) + ■■■ + A s (X)f( s ~ 1 \X) is 

m + {aiofi + ail/i-l H 1- aii/o) + (o2o(« + + a 2\ifi H h «2i/i) 

+ • • • + (a s0 (i + s - l)(i + s - 2) • • • (* + l)/ i+s -i + • • • + a si (s - l)!/ s _i) 

' * (fc + j_l)! 

-ooi + 2^ z_> jfcj a j(i-k)jk+j-i- 

3=1 k=0 

If (/o, . . . , /fe-i) is a solution to (10), then this coefficient is zero for every i. 

The coefficient of X 1 for each i depends only on fj for j < i + s, and the coefficient of /i+ s -i is 
a s o(^ + s — + s — 2) • • • (i + 1), which is nonzero when i + s < k since char(F g ) > fc. Thus, if we 
fix /o, fx, . . . , fs-2, the rest of the coefficients f s -i, ... , fk-i are uniquely determined. In particular, 
the dimension of the solution space is at most s — 1. □ 

Remark 2. The bound of Lemma 5 is tight for arbitrary linear systems. Indeed, if 

Q(X, Yi, . . . ,Y S ) = V tllx l Y i+1 , 

then any polynomial of degree less than s with zero constant term satisfies Q(X, f(X), . . . , f^ s ~ 1 \X)) = 
0. This is because any monomial f(X) = X^ for < j < s — lisa solution, and our solution space 
is linear. Of course, we do not know if such a bad polynomial can occur as the output of the 
interpolation step when decoding a noisy codeword of the derivative code. 

Combining these lemmas and recalling the bound (9) on the number of agreements for suc- 
cessful decoding, we have our main result. 

Theorem 6 (Main). For every 1 < s < m, the derivative code Der^ [n, k\ (where char(F ? ) > k) satisfies 
the property that for every received word y e F™ m , an affine subspace S C F q [X] of dimension at most 
s — 1 can be found in polynomial time such that every /eF, [X] of degree less than k whose derivative 
encoding differs from y in at most 

s ( k 
s + l \ (m-s + 1) 

positions belongs to S. 

Now by setting s « 1/e and m « 1/e 2 , and recalling that the rate of Deiq m) [n, k] equals k / (nm), 
we can conclude the following. 

Corollary 7. For all R e (0, 1) and all e > 0,/or a suitable choice of parameters, there are derivative codes 

Detq [n, k] of rate at least R which can be list decoded from a fraction 1 — R - e of errors with a list-size 
ofqO^M. 

4 Some remarks 

We now make a couple of remarks on coping with the large list-size bound in our decoding algo- 
rithms. 
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4.1 Reducing the list size 



One approach to avoid the large list size bound of « q s for the number of codewords near / is to 
draw codewords from so-called subspace-evasive subsets of F^ rather than all of F^. This approach 
was used in [6] to reduce the list-size for folded Reed-Solomon codes, and we can gain a similar 
benefit in the context of list decoding derivative codes. A subset of F^ is (s, L)-subspace-evasive 
if it intersects with every linear subspace S C ¥ q of dimension at most s in at most L points. 

For any e > 0, a probabilistic argument shows that there exist (s, 0(s/e))-subspace-evasive 
subsets of F* of size In fact, we have the following stronger statement, proved in [6]. Fix a 

basis 1, /5, . . . , of F^ over ¥ q and denote K = ¥ q k. For P G K[X] and an integer r, 1 < r < k, 
define 

S(P,r) = {(ao,...,a k -i) G Fj \ P(a + a x $ + • • • + a k . x ^ x ) G F,- span(l, /3, . . . , p r ~ 1 )}. 

Lemma 8 ([6]). Let qbea prime power, k > 1 an integer. Let ( G (0, 1) and s G Z satisfying 1 < s < (k/2. 
Let P G K[X] be a random polynomial of degree t and define V = S(P, (1 — C)^)- Then for t > n(s/(), 
with probability at least 1 — q~ n ( k ^ over the choice of P, V is an (s, t)-subspace-evasive subset of¥ q of size 
at least q^-^ k /2. 

By taking messages from V rather than all of ¥ q , we suffer a small loss in rate, but give a 
substantial improvement to the list size bound; since our solution space is linear, the number 
of candidate messages is reduced from « q s to 0(s/e). In particular, setting our parameters as 
in Theorem 6, we can list-decode from a I — R — e fraction of errors with a list size of at most 
0(l/e 2 ). However, the code construction is not explicit but only a randomized (Monte Carlo) one 
that satisfies the claimed guarantees on list-decoding with high probability. 

4.2 Decoding with side information 

The decoding described in the previous section consists of trying all choices for the coefficients 
/o, . . . , /s-2 and using each to uniquely determine a candidate for /. Note however that for each i, 
the fi is essentially the ith derivative of / evaluated at 0, and can be recovered as /W(0)/i!. Thus 
if the decoder somehow knew the correct values of / and its first s — 1 derivatives at 0, / could be 
recovered uniquely (as long as A s (0) / 0). 

Now, suppose the encoder could send a small amount of information along a noiseless side 
channel in addition to sending the (much longer) codeword on the original channel. In such a 
case, the encoder could choose a G ¥ q uniformly at random and transmit f(a), f'(a), . . . , /^"^(a) 
on the noiseless channel. The decoding then fails only if Ai(a>) = for i which is the largest index 
such that Ai(X) / 0. As the Ai(X) have bounded degree, by increasing the field size q, f can be 
uniquely recovered with probability arbitrarily close to 1. More precisely, we have the following 
claim. 

Theorem 9. Given a uniformly random a G ¥ q and the values f(a), /'(a), . . . , /( s_1 )(a) of the message 
polynomial f, the derivative code Der q m ^ [n, k] can be uniquely decoded from up to 

s ( k 
I n 

s + 1 \ m — s + 1 
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errors with probability at least 1 — ^ over the choice of a. 

Proof. As in the proof of Lemma 4, as long as A s (a) 7^ 0, we may translate the problem by a and 
use the values f(a), f'(a), . . . , f^ s ~^ (a) to uniquely determine the shifted coefficients go, - ■ ■ , g s ~i- 

As A s / 0, and A s is univariate of degree at most d, A s has at most d roots, and so the proba- 
bility that A s (a) 7^ is at least 1 — d/q> 1 — 222, where the last inequality follows from our choice 
of d < nm/s in (8). □ 

Remark 3. In the context of communicating with side information, there is a generic, black-box 
solution combining list-decodable codes with hashing to guarantee unique recovery of the correct 
message with high probability [3]. In such a scheme, the side information consists of a random 
hash function h and its value h(f) on the message /. The advantage of the solution in Theorem 9 
is that there is no need to compute the full list (which is the computationally expensive step, since 
the list size bound depends exponentially on s) and then prune it to the unique solution. Rather, 
we can uniquely identify the first (s — 1) coefficients of the polynomial f(X + a) in the linear 
system (10), after applying the shift X i->- X + a, as /(a), f'(a), . . . , f^ s ~ 2 \a). Then, as argued in 
the proof of Lemma 5, the remaining coefficients are determined as linear combinations of these 
s — 1 coefficients. So the whole algorithm can be implemented in quadratic time. 

Remark 4. The decoder could use the columns of the received word y as a guess for the side 
information /(ai), f'(ai), • • • , f^ s ~ 2 \a-i) ror * = 1,2, ... ,n. Since / agrees with y on more than 
t > Rn positions, as long as A s (ai) = for less than t of the evaluation points a\, we will recover 
every solution / this way This would lead to a list size bound of at most n — t<n. Unfortunately, 
however, there seems to be no way to ensure that A s does not vanish at most (or even all) of the 
points at used for encoding. But perhaps some additional ideas can be used to make the list size 
polynomial in both q, s, or at least exp(0(s))g c for some absolute constant c. 
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